Query Details
//Detect when a device triggers a Defender for Endpoint alert where Defender for Identity has also detected a lateral movement path
//Data connector required for this query - Security Alert (SecurityAlert is a free table that other Defender products send alert information to)
SecurityAlert
| where ProviderName == "MDATP"
| project TimeGenerated, AlertName, CompromisedEntity
| join kind=inner (
    IdentityDirectoryEvents
    | where ActionType == "Potential lateral movement path identified"
    ) on $left.CompromisedEntity == $right.DeviceName
| distinct DeviceName, AlertName, AccountName, ReportId

This query looks for instances where a device triggers an alert in Microsoft Defender for Endpoint and Microsoft Defender for Identity has also detected a potential lateral movement path involving the same device. It uses the Security Alert data connector and retrieves the time the alert was generated, the alert name, and the compromised entity. It then joins this information with the IdentityDirectoryEvents data, filtered to events whose action type is "Potential lateral movement path identified", matching the compromised entity against the device name. The query returns the distinct combinations of device name, alert name, account name, and report ID.
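The query above joins on the raw CompromisedEntity and DeviceName strings and places no time constraint on the two detections. KQL string joins are case-sensitive, and the endpoint alert may carry a short hostname where the identity event carries a lower-case FQDN, so matching pairs can be missed. The following KQL is an added example, not part of the original query, that normalizes the join key and keeps only lateral movement path detections within a window around the endpoint alert; the 24h window, the hostname normalization and the output column names are assumptions, while the tables, ActionType value and ProviderName are taken from the query above.

```kql
// Added example (not the original query): same correlation with a normalized
// join key and a time window. Window size and normalization are assumptions.
let window = 24h;
let mdeAlerts =
    SecurityAlert
    | where ProviderName == "MDATP"
    | where isnotempty(CompromisedEntity)
    // CompromisedEntity may be a short hostname or an FQDN in mixed case;
    // joins compare strings case-sensitively, so reduce to a lower-case short name
    | extend JoinHost = tolower(tostring(split(CompromisedEntity, ".")[0]))
    | project AlertTime = TimeGenerated, AlertName, CompromisedEntity, JoinHost;
let lmpEvents =
    IdentityDirectoryEvents
    | where ActionType == "Potential lateral movement path identified"
    // DeviceName is normalized the same way so both sides agree
    | extend JoinHost = tolower(tostring(split(DeviceName, ".")[0]))
    | project LmpTime = TimeGenerated, DeviceName, AccountName, ReportId, JoinHost;
mdeAlerts
| join kind=inner lmpEvents on JoinHost
// keep only pairs where the lateral movement path detection falls within
// the window around the endpoint alert
| where LmpTime between ((AlertTime - window) .. (AlertTime + window))
// one row per device, with the alerts, accounts and report IDs collected for triage
| summarize FirstAlert = min(AlertTime), LastAlert = max(AlertTime),
            Alerts = make_set(AlertName), Accounts = make_set(AccountName),
            ReportIds = make_set(ReportId)
          by DeviceName
| order by LastAlert desc
```

Widen or narrow the window to match how quickly lateral movement path detections are expected to follow an endpoint alert in the environment; the summarize step is what makes the result usable as a per-device triage list rather than a row per matching pair.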

Matt Zorich
Released: June 17, 2022